Testing signatures from the command line

Testing signatures from the command line Christopher Piggott 11/10/11 8:25 AM

I am trying to verify signatures from the command line, just as a
test.  Steps I took:

1) generate the key with:
   openssl req -x509 \
       -nodes \
       -days 365 \
       -newkey rsa:1024 \
       -sha1 \
       -subj '/C=US/ST=NY/ [ other stuff ]' \
       -keyout privatekey.pem \
       -out certificate.pem

2) upload certificate.pem into google domain manager

3) make a request, and capture the verification.  Google says it has
signed 17 fields:


4) In the exact same order as listed above, put all those fields in
the Key-Value Form Encoding format.  I'm going to obscure what it
actually returned, but basically show you the idea of what this looks
like below:



There are a total of 17 of these, each line ends in \n.

5) Google sent me an openid.sig ... I turned this into hex by doing

    echo $SIGNATURE | base64 -d | hexdump -v -e '/1 "%02X "'

and I ended up with 20 bytes (160 bits) which matches an SHA1
signature, which is what I expected.

So here's the question.  Can I use the Key-Value Form Encoding file
that I created, and the privatekey.pem file, to verify the signature
myself using

    openssl dgst -hmac (something) ?

I haven't figured it out yet, but it seems like there must be a way.

Re: [google-federated-login-api] Testing signatures from the command line John Bradley 11/14/11 6:02 AM
OpenID 2.0 uses symmetric HMAC signatures.

I don't know what the RSA key is for in your example.

You must perform an association call and get a secret and association handle first.

The association handle must be part of the request.

You then perform an HMAC-SHA1 verification of the response using the body and the secret.

The OpenID 2.0 spec provides the information.

So the answer is no: the .pem file has nothing to do with the OpenID signature.

John B.

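
The check John describes, as an added example that is not part of this thread or of Google's code: a Python sketch of the relying-party side, assuming the association's mac_key (base64 in the association response) is known. The MAC key, association handle and all parameter values below are constructed samples.

```python
import base64
import hashlib
import hmac

# Constructed sample: the 20-byte association secret, as it would arrive
# base64-encoded in openid.mac_key (the RSA key pair plays no part here).
MAC_KEY_B64 = base64.b64encode(b"0123456789abcdefghij").decode("ascii")

# Constructed positive assertion (id_res) without openid.sig; the OP adds it.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.return_to": "https://rp.example/finish",
    "openid.response_nonce": "2011-11-10T08:25:00ZABCDEF",
    "openid.assoc_handle": "constructed-assoc-handle",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,"
                     "claimed_id,identity",
}

def signed_kv_form(params):
    """Key-Value Form Encoding (OpenID 2.0 sec. 4.1.1) of the signed fields."""
    # Keys keep the order given in openid.signed and drop the 'openid.' prefix.
    return "".join(f"{k}:{params['openid.' + k]}\n"
                   for k in params["openid.signed"].split(","))

def compute_sig(mac_key_b64, params):
    """base64(HMAC-SHA1(mac_key, kv_form)): what the OP places in openid.sig."""
    mac_key = base64.b64decode(mac_key_b64)
    message = signed_kv_form(params).encode("utf-8")
    digest = hmac.new(mac_key, message, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def sign_response(mac_key_b64, params):
    """OP side: return a copy of params with openid.sig filled in."""
    signed = dict(params)
    signed["openid.sig"] = compute_sig(mac_key_b64, params)
    return signed

def verify_response(mac_key_b64, params):
    """RP side: recompute the MAC over the signed fields and compare in constant time."""
    try:
        received = base64.b64decode(params["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False
    expected = base64.b64decode(compute_sig(mac_key_b64, params))
    return hmac.compare_digest(expected, received)
```

With the MAC key in hex, the same 20-byte tag can be produced from the command line with `openssl dgst -sha1 -mac HMAC -macopt hexkey:<hex>` over the Key-Value Form file. The key is the association secret from the association step, not privatekey.pem.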